Beginning information gathering with Metasploit. In this chapter, we will analyze the passive and active techniques of information gathering in detail, actually not in this lecture but in this section of our course. Then of course, from the beginning, we will analyze the most commonly used and most commonly neglected techniques of passive information gathering, and then, in later recipes, we will focus on gaining information through port scanning. Metasploit has several built-in scanning capabilities, as well as some third-party tools integrated with it to further enhance the process of port scanning. We will analyze both the inbuilt scanners as well as some of the popular third-party scanners which work over the Metasploit Framework. So let's move on to the recipes and start our process of gaining information about our target.

So we will start information gathering with the company domain name and get information about the company, search for subdomains to find targets, check for honeypots, gather email addresses and much more. So how do we do it? The Metasploit Framework has several modules for information gathering. So in this recipe, you will learn how to use some of these modules. However, I recommend that you explore all the auxiliary modules available in the framework. So let's start first with the DNS record scanner here.

So let's start our Metasploit here, and you can see it actually is in. I will increase the font of my terminal a little bit with, you know, Actions or Preferences, and here Behavior. Surely. Here it is increased a little bit. So let's open it; can you see it, actually? Clearly. Yes. So now we will start msfconsole, so msfconsole, msfconsole here.

So, the DNS record scanner and enumerator auxiliary module can be used to gather information about a domain name from the given DNS server by performing various DNS queries such as zone transfers, reverse lookups, SRV record brute forcing and other techniques. To run the auxiliary module, we use the use command followed by the module we want to use. In this case, we will run here, uh, use. And we will use auxiliary, auxiliary, gather, enum_dns. As you can see, we are now using this, actually. And then we can use the info command to display the information about the module, such as the basic options and the descriptions here, as you can see here.

Um, so this module is provided by Carlos Perez, and this is Carlos Perez's, uh, email address and website. So as you can see here, basic options: we have to give the target's domain name, and we can give ENUM_AXFR, which initiates a zone transfer against each DNS record. Actually, we can see THREADS here. THREADS, it's a default one. And ENUM_TLD, a TLD expansion by replacing the TLD with the IANA TLD list, and we can enumerate the TXT record as here. So to run the module, we need to set the domain name, and to make it, uh, run a bit faster, we will set the thread number to ten. So as you can see, we have a variable here. This is the domain. This is the target domain. So in this case, our target domain will be our website, Take Means dot com. So check out this very first website here, Take Pins dot com. As you can see here, this is our website on the web. Yes, close it, and then we will set the website to our domain, so set DOMAIN, so we are assigning our variable name here. As you can see, there's a domain name and actually we can see, for example, RPORT as well.

In this case, RPORT is default 53. But in this case, DOMAIN, we have to assign the domain, our target domain, and this, as you can see here, this is the target port, the TCP port. So this is a default one and this is the target domain. So we will ping our target domain; shall not change the assigned domain, Take Bins dot. So as you can see, our domain is, um, ticketmaster.com, so let's use info again. As you can see here, our domain's current setting is changed, and this is Tech Means dot com now. And after that, we will set the threads to 10 for faster scanning, so set THREADS. THREADS here, as you can see, this is the threads default one. So the more threads you have, the faster your scanning will be. So set THREADS 10. And after that, as you can see, let's run the info command again, and as you can see, our domain is ticketmaster.com and our threads is 10. So now let's run our exploit: run.

As you can see here, uh, looking at that, we can see that we are able to obtain several DNS records from the target domain. As you can see here, our website is on Namecheap hosting, and this is the IP address of our hosting, and this is the subdomain for mail and DNS at Namecheap hosting, as you can see in the several pieces of information here. But that's not all; we have to do more. So the DNS record scanner and enumerator auxiliary module can also be used for active information gathering using its brute forcing capabilities by setting ENUM_BRT. So let's change it. So as you can see here, this is the ENUM_BRT. This means brute force; BRT, as you can see. So what this does, the BRT, is brute force subdomains and host names. We had this simply supplied, more or less, so in the next section, we will, uh, do that. I'm waiting for you in the next lecture.